The present invention relates to computer security, and more particularly to preventing unwanted windows drivers from being loaded and/or executed.
Allowing a new driver (signed or unsigned) to access the kernel can completely disarm a security product and make it useless. Presently, there is no method for preventing drivers, particularly signed drivers from being loaded into an operating system (OS) kernel layer. Consequently, hackers find different ways of bypassing driver signature enforcement, such as stolen code signing certificates being used for signing malicious drivers, and various methods of bypassing driver signing enforcement in Windows® OS kernel space. Simply a signed driver with access to kernel can disarm all endpoint security products. All endpoint security products and anti-viruses are vulnerable to this attack.
When improving the security of Windows® operating system (OS) software, it is desirable to prevent new drivers from being loaded in and accessing the kernel space in Windows®. Windows® API and Windows® documentation does not provide any way of doing so.
As can be seen, there is a need for a system and method for selectively blocking unwanted drivers from being loaded and/or executed in kernel space.